DOCSLIB.ORG

Securing Cyber Resilience in Health and Care: a Progress Update

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securing Cyber Resilience in Health and Care: a Progress Update Securing cyber resilience in health and care: A progress update February 2018 DH ID box Title: Securing cyber resilience in health and care: A progress update Author: DDP/Cyber Security and Innovation/13920 Document Purpose: Policy Publication date: January/2018 Target audience: Parliament, Public, NHS providers, GP practices, Clinical Commissioning Groups, Commissioning Support Units Contact details: Digital, Data and Primary Care, Department of Health, Quarry House, Leeds / 39 Victoria Street, London You may re-use the text of this document (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. To view this licence, visit website www.nationalarchives.gov.uk/doc/open-government-licence/ © Crown copyright 2016 Published to gov.uk, in PDF format only. website www.gov.uk/dh 2 Introduction The scale of the challenge Cyber-attacks are an increasing global threat. There are regular reports of attacks impacting on different sectors and different countries around the world. The NHS has faced a number of cyber-attacks. The May 2017 WannaCry cyber-attack was unprecedented and the largest ever ransomware cyber-attack. And while it was not the target, WannaCry affected the NHS. With the next large-scale attack more of a question of "when" not "if", there remains a need for the health and care system to remain resilient against attack, to protect patient data and patient care. Since 2010 the Department of Health and Social Care (‘the Department’), working with its Arms- Length Bodies (ALBs), has led a significant programme to strengthen cyber resilience across health and care. In that time the Department has: • Supported NHS organisations to move off unsupported software systems; • Set up CareCERT1, a pioneering sector-specific national cyber support service; • Commissioned reviews by Dame Fiona Caldicott as National Data Guardian and the Care Quality Commission to reinforce cyber resilience across health and care, which recommended 10 Data Security Standards for health and care organisations; • Included these 10 Data Security Standards in the NHS Standard Contract; • Revised the Care Quality Commission "Well Led" inspection programme to include an assessment of cyber resilience; and • Commissioned a review by the Chief Information Officer for Health and Care on the lessons to learn from WannaCry. It was a result of the Department's programme of work and investment that most health and care organisations were unaffected by WannaCry last May. However, despite this programme of activity, WannaCry still affected at least 802 out of 236 NHS trusts. A further 603 primary care and other organisations were infected, including 595 out of 7,454 GP Practices. The NHS responded well to this attack, with no reports of harm to patients or patient data being lost. Government response There has been a long-standing Government-wide prioritisation of cyber security resilience, with the establishment of the National Cyber Security Centre to support this. The Department, together with its ALBs, has worked closely with the National Cyber Security Centre, the Cabinet Office and the National Crime Agency to ensure that the health sector plays its part in bringing cyber attackers to justice. Immediately after WannaCry, the Department took a number of further actions to ensure health and care organisations had strong cyber security measures established to be best placed to mitigate against cyber-attacks. In July 2017, the Department published Your Data: Better Security, Better Choice, Better Care in which it formally accepted the National Data Guardian's 1 CareCERT: Care Computer Emergency Response Team. 3 A progress update 10 Data Security Standards. As part of this, an implementation plan on securing data and cyber security was published which set out how we plan to deliver key data and cyber security actions. This included commissioning a review of WannaCry from the Chief Information Officer for the health and social care system in England to analyse the lessons learned, assess the actions required to reduce the risk and impact of a future cyber-attack and to make clear recommendations as to how this learning can be shared and implemented across the whole health and social care system. All actions set out in that plan have either been delivered or are in progress. This document summarises these actions. Making sure the NHS is as prepared as possible for cyber- attacks Incident response The Department reviewed its Data Security Incident Response Plan and NHS England led work to develop a system-wide Data and Cyber Security Operations Playbook. These set out clearly the roles and responsibilities of organisations and individuals during an incident. In December 2017, the Department tested these plans, alongside the key organisations, via a simulated table top cyber-attack exercise. Exercises such as this are an important part of the preparedness process, but in order to be most effective, lessons identified need to be reflected on, implemented, and then tested again. The Department and its ALBs held a de-brief after the exercise to capture the lessons identified, and are now taking these forward as the response plans go through their next iteration. Helping NHS organisations to address infrastructure weaknesses Patching Patching (also referred to as patch management) is a security practice designed to pro-actively prevent the exploitation of IT vulnerabilities that exist within an organisation. Before WannaCry, NHS Digital had issued CareCERT alerts to health and care organisations on how to respond effectively and safely to cyber security threat. However, WannaCry highlighted inadequate patching systems by infected NHS organisations despite patching advice from NHS Digital. Since WannaCry, NHS Digital has implemented CareCERT Collect, a system through which all NHS Trusts and Commissioning Support Units (CSUs), on behalf of CCGs, have to report within 48 hours on action they have taken on High Severity CareCERT alerts (i.e. implementing security patches and updating their anti-virus software). 100% of NHS trusts and CSUs were signed up by January 2018. Funding Following WannaCry, the Digital Delivery Board (the governing board for the Personalised Health and Care 2020 programme which oversees better use of data and technology) reprioritised £21m capital for our major trauma centre hospitals and ambulance trusts. This funding is being used to upgrade firewalls and network infrastructure, and support the transition from outdated hardware and operating systems to improve resilience. These organisations were asked to undergo independent on-site assessments before applying for some of this funding which they could use to tackle high priority critical infrastructure vulnerabilities identified in their assessments. Trusts have now been allocated their share of the £21m. This funding is helping to build resilience by: 4 Appendix A: Timeline of actions • Upgrading firewalls to secure networks; • Minimising risk to medical devices i.e. MRI scanners and blood test analysis devices; • Supporting use of software to fix security vulnerabilities or upgrades for software applications and technologies (also referred to as "patching") by replacing obsolete PCs and introducing device security tools; and • Improving anti-virus protection. A further £25m of capital funding has been identified in 2017/18 to support organisations that have self-assessed as being non-compliant against high severity CareCERT alerts, strengthening hardware and software across the system. A rigorous reprioritisation exercise is underway across the NHS IT portfolio to identify additional cyber investment between 2018/19 and 2020/21. As part of this, an initial £150m has been identified focused on continuing investment in local infrastructure as well as national systems and services to improve monitoring, resilience and response. Options for further reprioritisation and additional investment for cyber security are being looked at as future plans are refined. In addition to this national funding, local organisations will need to commit local capital and revenue funding to maintain and refresh their own IT estates, and to ensure that these are operating on supported versions of software. Unsupported systems The National Data Guardian and the Department have been clear that organisations should not be operating IT systems which are no longer developed or updated as these lack modern security controls and cannot cope with large volumes of data and multiple users. Around 4.7% of NHS devices were operating on Windows XP at the time of WannaCry. This is now 1.8% as at January 2018. In July 2017, NHS Digital published guidance to help local organisations to move off unsupported systems and to minimise the risk of unsupported systems where they are in use. As we move closer towards the end of extended support for Windows 7 in 2020, there is the need for organisations to continue to review and replace their systems, including where appropriate taking advantage of the guides and services offered by NHS Digital and through the Microsoft Custom Support Agreement (see below). NHS Digital agreed a Custom Support Agreement with Microsoft at the end of June 2017 which provided the following free services to NHS organisations: • Patching and support for Windows devices operating with Windows XP, Windows Server 2003 and Sequel server 2005; • Improved threat awareness through Microsoft’s Enterprise Threat Detection (ETD) service; • Windows 10 migration support,
Load more

Recommended publications
  • Memorandum of Understanding Between Public Health England and the Care Quality Commission
    Memorandum of Understanding between Public Health England and the Care Quality Commission INTRODUCTION 1. This Memorandum of Understanding (MoU) sets out the framework for the working relationship between Public Health England (PHE) and the Care Quality Commission (CQC). 2. PHE and the CQC recognise that there is a distinct and unique relationship between the two organisations. Accordingly the framework set out in this MoU takes account of that relationship and details ways in which PHE and the CQC will work together and alongside one another in delivering their respective statutory functions. The MoU is intended to communicate clearly and unambiguously that PHE and the CQC will work together where relevant and appropriate to do so. 3. PHE and the CQC recognise their respective statutory responsibilities and organisational status, but will always seek to collaborate and cooperate when relevant and appropriate to do so in delivering their core functions. 4. This MoU cannot override the statutory duties and powers of either PHE or the CQC and is not enforceable in law. However, PHE and the CQC agree to adhere to the principles set out in this MoU and will show proper regard for each other’s activities. 5. The MoU sets out principles that PHE and the CQC will follow in the course of day-to-day working relationships. The MoU may need to be supported by protocols and other documents not included here which set out in more detail operational considerations of how PHE and the CQC will work together. Statutory Responsibilities of PHE and the CQC 6. The Care Quality Commission (CQC) was established under the Health and Social Care Act 2008 (HSCA) and is responsible for the regulation of the quality of health and social care services.
    [Show full text]
  • Care Quality Commission
    A picture of the national audit office logo Report by the Comptroller and Auditor General Care Quality Commission Care Quality Commission – regulating health and social care HC 409 SESSION 2017–2019 13 OCTOBER 2017 Our vision is to help the nation spend wisely. Our public audit perspective helps Parliament hold government to account and improve public services. The National Audit Office scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Sir Amyas Morse KCB, is an Officer of the House of Commons and leads the NAO. The C&AG certifies the accounts of all government departments and many other public sector bodies. He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently, effectively, and with economy. Our studies evaluate the value for money of public spending, nationally and locally. Our recommendations and reports on good practice help government improve public services, and our work led to audited savings of £734 million in 2016. Care Quality Commission Care Quality Commission – regulating health and social care Report by the Comptroller and Auditor General Ordered by the House of Commons to be printed on 11 October 2017 This report has been prepared under Section 6 of the National Audit Act 1983 for presentation to the House of Commons in accordance with Section 9 of the Act Sir Amyas Morse KCB Comptroller and Auditor General National Audit Office 4 October 2017 HC 409 | £10.00 This report examines whether the Care Quality Commission is taking appropriate action to address the risks to people’s care.
    [Show full text]
  • The Health Care Workforce in England
    The health care workforce in England Make or break? November 2018 Summary In advance of the publication of the NHS long-term plan, this briefing highlights the scale of workforce challenges now facing the health service and the threat this poses to the delivery and quality of care over the next 10 years. It sets out the reasons why the long-term plan and supporting workforce strategy must address the urgent and mounting challenges facing the health care workforce. This briefing will be followed in the coming weeks by a more in-depth report that explores five key levers available nationally and locally that could help ameliorate the workforce crisis affecting both health and social care. Key messages • The workforce challenges in the NHS in England now present a greater threat to health services than the funding challenges. • Across NHS trusts there is a shortage of more than 100,000 staff. Based on current trends, we project that the gap between staff needed and the number available could reach almost 250,000 by 2030. If the emerging trend of staff leaving the workforce early continues and the pipeline of newly trained staff and international recruits does not rise sufficiently, this number could be more than 350,000 by 2030. • The current shortages are due to a number of factors, including the fragmentation of responsibility for workforce issues at a national level; poor workforce planning; cuts in funding for training places; restrictive immigration policies exacerbated by Brexit; and worryingly high numbers of doctors and nurses leaving their jobs early. • Central investment in education and training has dropped from 5% of health spending in 2006/7 to 3% in 2018/19.
    [Show full text]
  • Burscough Family Practice Privacy Notice – Legal Requirements to Share
    Burscough Family Practice Stanley Court Lord Street Burscough L40 4LA Burscough Family Practice Privacy Notice – Legal requirements to share How your information is shared so that this practice can meet legal requirements The law requires Burscough Family Practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example: plan and manage services; check that the care being provided is safe; prevent infectious diseases from spreading. We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information. We must also share your information if a court of law orders us to do so. NHS Digital NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012. More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here: https://www.gov.uk/government/publications/information-requests-from-the-home-office-to-nhs- digital Care Quality Commission (CQC) The CQC regulates health and social care services to ensure that safe care is provided.
    [Show full text]
  • Proposal to Transfer Functions from The
    Academy of Medical Sciences response to the Department of Health consultation on proposals to transfer functions from the Human Fertilisation and Embryology Authority and Human Tissue Authority September 2012 Summary 1. Health research underpins the prevention and treatment of ill health and brings benefits across the UK population. To ensure that maximum benefits are delivered it is essential that the regulation of health research should be proportionate to the risks and benefits to individuals and society. It is also vital that stakeholders have confidence in the regulator. The Academy’s response focuses on the research functions of the Human Fertilisation and Embryology Authority (HFEA) and the Human Tissue Authority (HTA); however it also takes into account clinical practice where it has a close relationship with research. 2. There is a great deal of support among our community for the HFEA and the HTA; both are perceived as having developed the experience to respond in a balanced, practical way to the changing landscape that reflects the evolving risks and benefits of research. The key focus of any changes to the current regulatory structures should be on facilitating research for patient benefit rather than solely on making cost savings. The relatively small savings to be made through disbanding the HFEA and the HTA need to be balanced against the inevitable period of disruption and uncertainty, and any potential risk of loss of expertise, efficiency, effectiveness and coherence that could hinder research and practice and result in the loss of public and professional confidence. In our deliberations, we have also considered the fact that these areas of regulation and governance are not perceived to present the greatest barriers to research by our community.
    [Show full text]
  • The Care Quality Commission
    BRIEFING PAPER Number 08754, 1 May 2020 The Care Quality By Elizabeth Parkin Commission Contents: 1. Key functions 2. Changes to the CQC’s approach 3. Enforcement action 4. Inspections 5. State of Care 6. Major reports www.parliament.uk/commons-library | intranet.parliament.uk/commons-library | [email protected] | @commonslibrary 2 The Care Quality Commission Contents Summary 3 1. Key functions 6 History 7 2. Changes to the CQC’s approach 9 Changes following the Mid Staffordshire NHS Foundation Trust Inquiry 9 Proposed changes following inspection at Whorlton Hall 11 3. Enforcement action 12 Enforcement powers 12 Criminal powers 13 Special measures for quality reasons 14 Special measures for finance reasons 15 4. Inspections 16 Frequency of inspections 16 Types of inspections 16 Factual accuracy 17 5. State of Care 18 6. Major reports 19 6.1 Mental health 19 6.2 Local system reviews 21 6.3 Restraint 22 Cover page image copyright Nurse Holding Elderly Patient's Hand by PortaldelSur ES. Licensed under CC BY-NC-SA 2.0 /image cropped 3 Commons Library Briefing, 18 February 2020 Summary This House of Commons Library briefing explains the statutory role and powers of the Care Quality Commission (CQC) The CQC was established in April 2009 and replaced three former regulatory bodies. The CQC is responsible for the registration, inspection and monitoring of health and adult social care providers, including independent providers, under the Health and Social Care Act 2008. All providers of health and adult social care who carry out “regulated activities” are required to register with the CQC and demonstrate they meet fundamental standards.
    [Show full text]
  • Annual Accountability Hearing with the Care Quality Commission
    House of Commons Health Committee Annual accountability hearing with the Care Quality Commission Ninth Report of Session 2010–12 HC 1430 House of Commons Health Committee Annual accountability hearing with the Care Quality Commission Ninth Report of Session 2010–12 Report, together with formal minutes, oral and written evidence Ordered by the House of Commons to be printed 6 September 2011 HC 1430 Incorporating HC 1203-ii (Qq 149–258), Session 2010–12 Published on 14 September 2011 by authority of the House of Commons London: The Stationery Office Limited £0.00 The Health Committee The Health Committee is appointed by the House of Commons to examine the expenditure, administration, and policy of the Department of Health and its associated bodies. Membership Rt Hon Stephen Dorrell MP (Conservative, Charnwood) (Chair)1 Rosie Cooper MP (Labour, West Lancashire) Yvonne Fovargue MP (Labour, Makerfield) Andrew George MP (Liberal Democrat, St Ives) Grahame M. Morris MP (Labour, Easington) Dr Daniel Poulter MP (Conservative, Central Suffolk and North Ipswich) Mr Virendra Sharma MP (Labour, Ealing Southall) Chris Skidmore MP (Conservative, Kingswood) David Tredinnick MP (Conservative, Bosworth) Valerie Vaz MP (Labour, Walsall South) Dr Sarah Wollaston MP (Conservative, Totnes) Powers The Committee is one of the departmental select committees, the powers of which are set out in House of Commons Standing Orders, principally in SO No 152. These are available on the Internet via www.parliament.uk. Publications The Reports and evidence of the Committee are published by The Stationery Office by Order of the House. All publications of the Committee (including press notices) are on the Internet at www.parliament.uk/healthcom.
    [Show full text]
  • The Structure of the NHS in England
    BRIEFING PAPER Number CBP 07206, 2 June 2020 The structure of the NHS By Thomas Powell in England Inside: 1. Background to NHS reform 2. Commissioning and regulation of health services 3. Access to treatment 4. Education and training 5. Public health services 6. Local authority scrutiny and Health and Wellbeing Boards 7. Safety of care 8. Competition and non-NHS providers 9. Technology and data 10. Integration of health and social care services 11. Health services in Scotland, Wales and Northern Ireland 12. Further information www.parliament.uk/commons-library | intranet.parliament.uk/commons-library | [email protected] | @commonslibrary Number CBP 07206, 2 June 2020 2 Contents Summary 3 1. Background to NHS reform 5 1.1 The Health and Social Care Act 2012 5 1.2 From the Five Year Forward View (2014) to the Long Term Plan (2019) 5 1.3 Funding and performance 10 2. Commissioning and regulation of health services 14 2.1 Clinical Commissioning Groups 14 2.2 NHS England 15 2.3 NHS Improvement 17 2.4 Shared NHS England and NHS Improvement leadership 18 2.5 NHS providers 18 2.6 The Care Quality Commission 19 2.7 NHS accountability to Government, Parliament and the public 20 2.8 Regulation of health and care professionals 22 3. Access to treatment 25 3.1 The NHS Constitution 25 3.2 NICE 26 3.3 Cost-effectiveness and drug pricing 28 3.4 Accelerated and early access to medicines 29 4. Education and training 31 5. Public health services 33 5.1 Public health and local government 33 5.2 Public Health England and directly commissioned services 33 5.3 Recent developments in public health policy 34 6.
    [Show full text]
  • Blowing the Whistle: a Failure of the Care Quality Commission to Ensure
    Blowing the whistle: an investigation into the Care Quality Commission’s regulation of the Fit and Proper Persons Requirement HC 1815 Blowing the whistle: an investigation into the Care Quality Commission’s regulation of the Fit and Proper Persons Requirement Presented to Parliament pursuant to Section 10(4) of the Parliamentary Service Commissioner Act 1967 Ordered by the House of Commons to be printed on 13 December 2018 HC 1815 © Parliamentary and Health Service Ombudsman copyright 2018 The text of this document (this excludes, where present, the Royal Arms and all departmental or agency logos) may be reproduced free of charge in any format or medium provided that it is reproduced accurately and not in a misleading context. The material must be acknowledged as Parliamentary and Health Service Ombudsman copyright and the document title specified. Where third party material has been identified, permission from the respective copyright holder must be sought. Any enquiries related to this publication should be sent to us at [email protected] This publication is available at https://www.gov.uk/government/publications ISBN 978-1-5286-0919-7 CCS1218130752 12/18 Printed on paper containing 75% recycled fibre content minimum Printed in the UK by the APS Group on behalf of the Controller of Her Majesty’s Stationery Office Contents Executive summary 2 The complaint 2 Background 2 Findings 3 Recommendations 3 The investigation report 4 Introduction 4 The complaint 4 Legal and administrative background 5 Background 9 Key events 10 Evidence from the CQC 13 Evidence from Ms K 20 Findings – maladministration 21 – injustice 26 Recommendations 28 Annex 29 Chief Executive.
    [Show full text]
  • Privacy Notice
    GILLMOSS MEDICAL CENTRE Legal requirements to share data How your information is shared so that this practice can meet legal requirements The law requires Gillmoss Medical Practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example: plan and manage services; check that the care being provided is safe; prevent infectious diseases from spreading. We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information. We must also share your information if a court of law orders us to do so. NHS Digital NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012. More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home 1 V2 Review January 2020 Care Quality Commission (CQC) The CQC regulates health and social care services to ensure that safe care is provided. The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
    [Show full text]
  • Public Health England
    Inspection Report Public Health England Wellington House, 133-155 Waterloo Road, London SE1 8UG Inspection date(s) 17 & 24 February 2014 Publication date 2014 We inspected the following standards as part of a routine inspection. This is what we found: Respecting and involving people who use Met this standard services Care and welfare of people who use services Met this standard Requirements relating to workers Met this standard Assessing and monitoring the quality of service Met this standard provision Complaints Met this standard Inspection report Public Health England March 2014 www.cqc.org.uk 1 Details about this organisation Organisation Public Health England Overview of the Public Health England (PHE) was established as an service executive agency of the Department of Health on 1 April 2013 to protect and improve the nation’s health and wellbeing and reduce health inequalities. PHE brings together a range of functions and responsibilities previously delivered through a number of other organisations, including functions of the Health Protection Agency (HPA). The HPA was abolished on 1 April 2013. PHE’s national and local health protection functions were the focus of this inspection. These functions set out to protect the public from threats to their health from infectious diseases and environmental hazards. It does this by providing advice and information to the general public, to health professionals such as doctors and nurses, and to national and local government. Inspection report Public Health England March 2014 www.cqc.org.uk 2 Contents When you read this report, you may find it useful to read the sections towards the back called ‘About CQC inspections’ and ‘How we define our judgements’.
    [Show full text]
  • Report on Patient Transport Services[1].Pdf 1 10/04/2017 14:05
    Patient Transport Services The impact of privatisation and a better way forward 24330_covers.indd 1 10/04/2017 14:02 24330 Report on Patient Transport Services[1].pdf 1 10/04/2017 14:05 Contents Introduction ............................................................................................................................ 4 Executive Summary ............................................................................................................. 5 Key findings............................................................................................................................ 6 Survey ...................................................................................................................................... 9 Background .......................................................................................................................... 10 A Better Way ......................................................................................................................... 11 Reported Issues with Privatised PTS ............................................................................ 11 PTS Landscape .................................................................................................................... 16 Impact of Privatisation of PTS ......................................................................................... 18 Current PTS Provision ....................................................................................................... 19 Strategic Intentions of Ambulance
    [Show full text]